Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd63e6dbdf35db22…

MALICIOUS

PDF

Size: 66.2 KB
Created: 2021-01-04 01:08:58 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c22b57521c0cc88233a1cd4c1f68303f
SHA-1: 8517b0498a40ccd3de23c46b1e036076d8fa29e4
SHA-256: dd63e6dbdf35db22add81847eafb2db85c6aea7d653df25b4611627c5b456612
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous external links, with a critical heuristic firing for a 'PDF_SEO_LINK_FARM'. One of the primary external URIs points to 'https://trafffi.ru/aws?utm_term=virgin+australia+male+cabin+crew+uniform', and another significant link farm URL is 'https://fovavizudaz.weebly.com/uploads/1/3/4/3/134375550/6715920.pdf'. The ML classifier and ClamAV detection further support its malicious nature, indicating a phishing or trojan distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8721

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://trafffi.ru/aws?utm_term=virgin+australia+male+cabin+crew+uniform
    • https://fovavizudaz.weebly.com/uploads/1/3/4/3/134375550/6715920.pdf
    • https://cdn-cms.f-static.net/uploads/4418184/normal_5fd1216e98f7a.pdf
    • https://cdn-cms.f-static.net/uploads/4376087/normal_5fa5d7fe94107.pdf
    • https://cdn-cms.f-static.net/uploads/4368466/normal_5fb273330af84.pdf
    • https://babexunerasosib.weebly.com/uploads/1/3/4/6/134620176/napuzepemisabavesaga.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://s3.amazonaws.com/dazawojob/afro_sound_songs.pdf
    • https://uploads.strikinglycdn.com/files/995e1eef-a688-46a6-af49-df1cff2e0edf/jibitaromizoju.pdf
    • https://uploads.strikinglycdn.com/files/ca0b01ef-d7f2-447f-aa55-1fda25652c9a/rufaxegejozorupojinaxaw.pdf
    • https://uploads.strikinglycdn.com/files/6e83bf76-a270-4e28-a05b-e7b17a2de8a0/verurexowepururaku.pdf
    • https://uploads.strikinglycdn.com/files/64263ee2-7d19-45f8-86d1-49d1609f7b82/vex_3_hacked.pdf
    • https://uploads.strikinglycdn.com/files/e6482deb-be7e-44a2-8490-df9723faf266/fofepo.pdf
    • https://s3.amazonaws.com/serogajugomiji/aerobic_workout_videos_free.pdf
    • https://uploads.strikinglycdn.com/files/08b11209-719c-425b-8996-fe8a96375210/best_universal_remote_control_for_samsung_smart_tv.pdf
    • https://uploads.strikinglycdn.com/files/df60b24c-b7b5-4ef3-a438-ecb5b77badec/36448915571.pdf
    • https://uploads.strikinglycdn.com/files/1215fdb1-3b0f-4a12-aa41-600a831bc3a8/nabalemapifav.pdf
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000fb13.bin
SHA-256: f634c6cc4dcf59cdcf46f0b40970e6c500b405c7d3c9aedc0c44d70459b893f6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFB13
Size: 5400 bytes